Using SSH to set up a VPN
Originally posted on the mailing lists:
http://www.mail-archive.com/general@brlug.net/msg18097.html
Guys,
Call this a mini-howto if you like. If you see any problems, please let me
know, so I can correct them.
If you're a roaming user or you're trying to link a satellite office to the
main network, SSH can handle the job. Other solutions exist, and SSH isn't
perfect, but this is probably the simplest trick out there.
OpenSSH since version 4.3 has the ability to set up TUN/TAP tunnels. I'm sure
most of you have set up port-forwarding via SSH, but this is a little
different than that. Instead of forwarding one TCP port to a host on the other
side of the target SSH server, TUN/TAP lets you route between networks as if
both networks are on the same LAN. We're setting up an IP tunnel here using
TUN, but you could just as easily set up a layer-2 bridge between two LANs by
using the TAP interface instead.
Let's say you're on a laptop in a coffee shop and want to reach your home or
office network. Your home LAN is on a 192.168.0.0/24 subnet. Bear in mind that
the router at home needs to have "PermitTunnel yes" in /etc/ssh/sshd_config,
and "Tunnel yes" and "TunnelDevice any:any" should be listed in
/etc/ssh_config on your laptop. Also, the tun driver needs to load on both
your laptop and the router. By the way, your router at home has the external
IP address 1.2.3.4.
On the laptop, log in to your router at home as root:
ssh -w0:0 1.2.3.4
which creates a tunnel between your laptop and the router at home. After
you've logged in to the router, run the command
ifconfig tun0 10.2.2.2 netmask 255.255.255.252
on the router, which gives an IP address to the far end of the tunnel.
At this point, you don't have to do anything else on the router.
Back on your laptop, you have to set an IP address on your end of the tunnel,
and set up routing to your LAN at home:
ifconfig tun0 10.2.2.1 netmask 255.255.255.252
route add -net 192.168.0.0/24 dev tun0
At this point you should be able to ping any IP on your LAN at home, from your
laptop. Congrats, your VPN is set up and you're good to go.
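The laptop-side steps above, collected into one script so the tunnel can be brought up and torn down repeatably. This is an added example, not part of the original post: it assumes the router already has "PermitTunnel yes" in sshd_config and the laptop's ssh_config has "Tunnel yes" and "TunnelDevice any:any", as described earlier, and it uses the post's sample addresses (1.2.3.4, 192.168.0.0/24, 10.2.2.1/10.2.2.2). The function and variable names (vpn_ssh_cmd, vpn_local_cmds, router_authorized_keys_line, ROUTER, HOME_NET and so on) are my own. The router_authorized_keys_line function goes a step beyond the post: it prints an authorized_keys entry using the "restrict", tunnel="n" and command= options (the "restrict" option needs OpenSSH 7.2 or later) so the key the laptop uses can only establish the tunnel rather than get a root shell on the router.

```shell
#!/bin/sh
# Added example, not from the original post: the laptop-side procedure as a
# small script, plus the authorized_keys line that lets the router accept the
# tunnel without handing the laptop's key a full root shell.
# Assumes the router has "PermitTunnel yes" in sshd_config and the laptop has
# "Tunnel yes" / "TunnelDevice any:any" in ssh_config, as the post requires.
# Addresses are the post's sample values; override them via the environment.

ROUTER="${ROUTER:-1.2.3.4}"             # router's external address
HOME_NET="${HOME_NET:-192.168.0.0/24}"   # LAN behind the router
TUN_LOCAL="${TUN_LOCAL:-10.2.2.1}"       # laptop end of the /30
TUN_REMOTE="${TUN_REMOTE:-10.2.2.2}"     # router end of the /30
TUN_NUM="${TUN_NUM:-0}"                  # tun<n> used on both sides (-w n:n)
TUN_USER="${TUN_USER:-root}"             # opening a tun device needs root on the router

# The ssh command line. -w creates tun<n> at both ends; the remote command
# configures the far end and then idles, so the tunnel lives exactly as long
# as the session. -f backgrounds ssh once the tunnel is up. Printed, not run,
# so it can be inspected before use.
vpn_ssh_cmd() {
    printf "ssh -f -w%s:%s -o Tunnel=point-to-point -o ServerAliveInterval=15 %s@%s 'ifconfig tun%s %s netmask 255.255.255.252 && while :; do sleep 3600; done'\n" \
        "$TUN_NUM" "$TUN_NUM" "$TUN_USER" "$ROUTER" "$TUN_NUM" "$TUN_REMOTE"
}

# Laptop-side configuration: address the near end, route the home LAN into it.
vpn_local_cmds() {
    printf 'ifconfig tun%s %s netmask 255.255.255.252\n' "$TUN_NUM" "$TUN_LOCAL"
    printf 'route add -net %s dev tun%s\n' "$HOME_NET" "$TUN_NUM"
}

# A restricted authorized_keys entry for the router side (OpenSSH 7.2+ for
# "restrict"). "restrict" turns off pty, agent/X11/TCP forwarding and rc files;
# tunnel="n" pins the key to one tun device; command= replaces the login shell
# with the far-end setup, so this key can bring the tunnel up and nothing else.
# $1 is the laptop's public key.
router_authorized_keys_line() {
    printf 'restrict,tunnel="%s",command="ifconfig tun%s %s netmask 255.255.255.252 && while :; do sleep 3600; done" %s\n' \
        "$TUN_NUM" "$TUN_NUM" "$TUN_REMOTE" "$1"
}

vpn_up() {
    eval "$(vpn_ssh_cmd)"            # returns once tun<n> exists on the laptop
    vpn_local_cmds | while read -r cmd; do eval "$cmd"; done
}

vpn_down() {
    pkill -f "ssh -f -w${TUN_NUM}:${TUN_NUM}"   # tun<n> vanishes with the session
}

case "$1" in
    up)   vpn_up ;;
    down) vpn_down ;;
    show) vpn_ssh_cmd; vpn_local_cmds ;;
    key)  router_authorized_keys_line "${2:-ssh-ed25519 AAAA...PLACEHOLDER laptop-vpn}" ;;
esac
```

Run it as "sh vpn.sh show" to print the commands it would execute, "sh vpn.sh up" (as root on the laptop) to bring the tunnel up, and "sh vpn.sh key 'ssh-ed25519 ...'" to print the line to put in /root/.ssh/authorized_keys on the router. Because the whole ssh command is one line, it is also the line you would hand to autossh if you want the tunnel re-established after a dropped connection.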
If you were trying to set up a remote office, the only thing you'd need to do
is set up a route on the main office router to reach hosts on the satellite LAN.
Also, you could run autossh from /etc/rc.local, which would bring up the VPN
at boot, and it would be restarted automatically in the event the ssh connection
dropped for some reason.
So, how does it work? SSH allows you to set up a virtual interface, as noted,
which functions as a tunnel with two endpoints. You place an IP address at
each end of the tunnel, then set up a route at one or both ends to tell hosts
at each end how to reach hosts on the other end. Routed traffic passes through
the tunnel, all nice and encrypted via SSH. Assuming everything is configured
correctly and the tun0 interface comes up on both ends, you can construct a
scriptable VPN with only four or five commands.
--Joey Kelly
joey@joeykelly.net